Several of our users need password access to our server and I was hoping to leave the default of public key authentication in place and add Match keyword for the password users.

I am not sure if this is possible or if I am going about it the wrong way, I am assuming it is not possible as you can not have the ChallengeResponseAuthentication keyword within a Match block.

I have the reverse working, password by default and using the Match keyword to allow certain users to only be able to authenticate via public key. However this is not my preferred option as it requires every user to have a new Match block, rather than being excluded by default - I could and probably will forget to add a Match block for someone.

The only changes I have made are as follows :


PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM no

Match User anna
PasswordAuthentication yes
KbdInteractiveAuthentication yes

I'm running OpenSSH_4.7p1